Delaware, USA – January 29, 2018 – Threat actors leverage new Mezzo banking trojan to prepare a large-scale attack. At the moment, this trojan just collects and uploads data to the command and control servers, but it has the functionality to replace the files of financial software, as researchers from Kaspersky Lab report. Malware can counter security solutions, causing malfunctions in their operation. In case Mezzo discovers the preparation to a transaction, it sends information about it to the C&C server in a password-protected archive and prepares to replace the file during the data transfer to the bank (if it receives a file for the substitution). Also, the researchers found a link between Mezzo, CryptoShuffler trojan and AlinaBot. Methods of malware distribution are not disclosed yet. In 2016, the attackers performed a similar campaign against small and medium-sized businesses using TwoBee trojan.
To protect against such malware, it is necessary to monitor malfunctions in the operations of security solutions and to investigate emergency shutdowns of financial software. You can also use Sysmon Framework for ArcSight and Splunk to detect anomalies and suspicious events that can be tied to malware activity.